Strikers

Adding AD User to Group fails

24 posts in this topic

#1 ·  Posted (edited)

Hi, I'm having a little problem adding some groups to users.

In general I can add users to groups, but with some groups I'm getting an error.

Those groups that are failing are not located in the same AD tree.

The working groups are located in "DC=EU,DC=AD,DC=COMPANY,DC=COM" and the group that fails is located under "DC=AD,DC=COMPANY,DC=COM".

But if I check beforehand whether the object exists, it says yes, as you can see in the console logs below.

#include <AD.au3>

Global $username = "", $password = "" ; set elsewhere in the full script; empty means the current logon is used

_ADconnection()

Func _ADconnection()
    Local $SDNSDomain, $SHostServer, $SConfiguration

    ; Open a default connection only to read the DNS domain, host server and
    ; configuration naming context of the domain the script is running in
    _AD_Open()
    $SDNSDomain = $sAD_DNSDomain
    ConsoleWrite($SDNSDomain & @CRLF)
    $SHostServer = $sAD_HostServer
    $SConfiguration = $sAD_Configuration
    _AD_Close()

    ; Reopen the connection to the same domain with the given credentials
    If Not _AD_Open($username, $password, $SDNSDomain, $SHostServer, $SConfiguration) Then
        MsgBox(16, "Information", "The logon for '" & $username & "' was not successful!")
    EndIf
EndFunc


$sAD_GROUP = "CN=Office 365,CN=Users,DC=AD,DC=COMPANY,DC=COM"
If _AD_ObjectExists($sAD_GROUP, "distinguishedName") = 0 Then ConsoleWrite("AD GROUP exists: " & $sAD_GROUP & @CRLF)

$sUser = "CN=test user36,OU=Test,OU=Users,OU=COUNTRY,DC=EU,DC=AD,DC=COMPANY,DC=COM"
If _AD_ObjectExists($sUser, "distinguishedName") = 0 Then ConsoleWrite("User exists: " & $sUser & @CRLF)

; Add the user to the group and map the UDF's return value / @error to a message
Global $iValue = _AD_AddUserToGroup($sAD_GROUP, $sUser)
If $iValue = 1 Then
    $tmp1 = "assigned to group '" & $sAD_GROUP & "'"
ElseIf @error = 1 Then
    $tmp1 = "ERROR: Group '" & $sAD_GROUP & "' does not exist"
ElseIf @error = 2 Then
    $tmp1 = "ERROR: User does not exist"
ElseIf @error = 3 Then
    $tmp1 = "is already a member of group '" & $sAD_GROUP & "'"
Else
    $tmp1 = "ERROR: code '" & @error & "' with group: '" & $sAD_GROUP & "'"
EndIf

ConsoleWrite($tmp1 & @CRLF)
_AD_Close()

Console Logs:

DC=EU,DC=AD,DC=COMPANY,DC=COM
AD GROUP exists: CN=Office 365,CN=Users,DC=AD,DC=COMPANY,DC=COM
User exists: CN=test user36,OU=Test,OU=Users,OU=DACH,DC=EU,DC=AD,DC=COMPANY,DC=COM
ERROR: Group 'CN=Office 365,CN=Users,DC=AD,DC=COMPANY,DC=COM' does not exist

Any idea what I'm doing wrong with this groups and how I can fix it?

Thanks!

Edited by Strikers


Maybe this is helpful:


@Strikers It looks like you are trying to add a user to a group, but you are specifying an OU instead.  Are you sure you aren't trying to just move the user into the OU?  An AD group is not the same thing as an Organization Unit (OU).  


Hi spudw2k,

sorry, I had a naming issue in my post, as I quickly copied some script from an existing one.

I have now changed $sOU to $sAD_GROUP to make it correct. It is definitely a group and not an OU that I want to add to the user.


Sorry for the confusion. I wasn't referring to the variable nomenclature; you were right though, I should've paid closer attention and noticed the string was a group object and not an OU container/path.   According to the AD UDF documentation, if _AD_ObjectExists returns 0 (and @error = 1), then a failure occurred.  In your script you are doing a consolewrite if the objectexists function returns 0, which seems misleading.

Am I missing something?


Hi spudw2k,

yes, you are right, the function gave me the wrong result. The ObjectExists function returning 0 is of course a failure, not a success as I wrote. In that case the function works as designed, as the group can't be found.

Not sure, though, what I have to do in order for the script to find the group, as it does exist, but one level higher.

A group e.g. named like EU.AD.COMPANY.COM/Users/TEST can be found and added, but the needed group is under AD.COMPANY.COM/Users/Office 365.

If I search through AD via "Active Directory Users and Computers", I have to choose "Entire Directory" in order to find the "Office 365" group, as I'm located in eu.ad.company.com and not in ad.company.com.

I tried changing the value of $SDNSDomain manually to DC=AD,DC=COMPANY,DC=COM, which also gives the same failing result.

I corrected the script:

#include <AD.au3>

Global $username = "", $password = "" ; set elsewhere in the full script; empty means the current logon is used

_ADconnection()

Func _ADconnection()
    Local $SDNSDomain, $SHostServer, $SConfiguration

    ; Open a default connection only to read the DNS domain, host server and
    ; configuration naming context of the domain the script is running in
    _AD_Open()
    $SDNSDomain = $sAD_DNSDomain
    ConsoleWrite($SDNSDomain & @CRLF)
    $SHostServer = $sAD_HostServer
    $SConfiguration = $sAD_Configuration
    _AD_Close()

    ; Reopen the connection to the same domain with the given credentials
    If Not _AD_Open($username, $password, $SDNSDomain, $SHostServer, $SConfiguration) Then
        MsgBox(16, "Information", "The logon for '" & $username & "' was not successful!")
    EndIf
EndFunc

; 1) check whether the AD group exists (_AD_ObjectExists returns 1 if found, 0 and @error = 1 if not)
ConsoleWrite("1) checking if AD group exists:" & @CRLF)
$sAD_GROUP = "CN=Office 365,CN=Users,DC=AD,DC=COMPANY,DC=COM"
$iAD_GROUP = _AD_ObjectExists($sAD_GROUP, "distinguishedName")

If $iAD_GROUP = 1 Then
    ConsoleWrite("AD Group exists: " & $sAD_GROUP & @CRLF)
ElseIf @error = 1 Then
    ConsoleWrite("ERROR: AD group '" & $sAD_GROUP & "' does not exist" & @CRLF)
Else
    ConsoleWrite("ERROR: code " & @error & @CRLF)
EndIf


; 2) check whether the user exists
ConsoleWrite("2) checking if user exists:" & @CRLF)
$sUser = "CN=test user36,OU=Test,OU=Users,OU=COUNTRY,DC=EU,DC=AD,DC=COMPANY,DC=COM"
$iUser = _AD_ObjectExists($sUser, "distinguishedName")

If $iUser = 1 Then
    ConsoleWrite("User exists: " & $sUser & @CRLF)
ElseIf @error = 1 Then
    ConsoleWrite("ERROR: User '" & $sUser & "' does not exist" & @CRLF)
Else
    ConsoleWrite("ERROR: code " & @error & @CRLF)
EndIf


; 3) add the user to the group and map the UDF's return value / @error to a message
ConsoleWrite("3) adding group to user:" & @CRLF)
Global $iValue = _AD_AddUserToGroup($sAD_GROUP, $sUser)
If $iValue = 1 Then
    $tmp1 = "assigned to group '" & $sAD_GROUP & "'"
ElseIf @error = 1 Then
    $tmp1 = "ERROR: Group '" & $sAD_GROUP & "' does not exist"
ElseIf @error = 2 Then
    $tmp1 = "ERROR: User does not exist"
ElseIf @error = 3 Then
    $tmp1 = "is already a member of group '" & $sAD_GROUP & "'"
Else
    $tmp1 = "ERROR: code '" & @error & "' with group: '" & $sAD_GROUP & "'"
EndIf

ConsoleWrite($tmp1 & @CRLF)
_AD_Close()

Console Logs:

DC=EU,DC=AD,DC=COMPANY,DC=COM
1) checking if AD group exist exists:
ERROR: AD group 'CN=Office 365,CN=Users,DC=AD,DC=COMPANY,DC=COM' does not exist
2) checking if user exist:
User exists: CN=test user36,OU=Test,OU=Users,OU=DACH,DC=EU,DC=AD,DC=COMPANY,DC=COM
3) adding group to user:
ERROR: Group 'CN=Office 365,CN=Users,DC=AD,DC=COMPANY,DC=COM' does not exist


The problem is caused by the AD UDF not supporting connections to multiple domains at the same time.
Another user had a similar problem and solved it by modifying the function and letting a PowerShell script do the cross-domain work.


My UDFs and Tutorials:


UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki


Would it be helpful to make the following changes to the AD UDF?

  • With a flag, function _AD_Open opens a connection to the specified domain controller AND the global catalog
  • Some/all functions that just query AD would use the global catalog
  • All write functions would use the specified DC


Hi water,

first of all I would like to thank you for the enormous work you do with that AD UDF! It helps a lot with my daily work and I don't want to miss it anymore.

And yes it would be (at least for me) helpful to have a flag to be able to search the global catalog for some functions as I'm a bit lost on how to do that myself.


I think I will implement this feature in a new function: _AD_OpenGC (Open connection to global catalog).
You would call _AD_Open as before. If you want to run (all) query functions against the global catalog then call _AD_OpenGC in addition.
What do you think?


Hi water,

I would appreciate the implementation of this new function. It would fix some problems that I'm facing now.

Thanks!


#13 ·  Posted (edited)

It took some time, but here you find the first try.

I simply added a second Open function (_AD_OpenGC) for the Global Catalog. Every time an existing object needs to be retrieved, the GC is now accessed.
You can change this behaviour by setting variable $bUseGC to True/False.

All other functions access the DC opened with _AD_Open.

You need to use _AD_OpenGC as described in the wiki for accessing the GC (meaning you need to provide the port number).

As I can't test, I'm sure there are a lot of bugs - so please be careful!!

Edited by water
Deleted the attachment because I added the AD UDF in my next post


#14 ·  Posted (edited)

On 11/6/2016 at 9:22 AM, water said:

As I can't test, I'm sure there are a lot of bugs - so please be careful!!

AD.au3

Line 4757: Missing EndIf

Also, when using _AD_Close without using _AD_OpenGC:

Line: 547: ==> Variable must be of type "Object".:
$__oAD_ConnectionGC.Close()
$__oAD_ConnectionGC^ ERROR


If I change Line 547 to:

If $bUseGC Then $__oAD_ConnectionGC.Close()

it works fine (In terms of initial script execution).

Edited by Surf243
New Error


Thanks! Will check tomorrow.


New version of the UDF!

I fixed the bugs and renamed the function to _AD_Open2, because you can connect not just to the GC but to a second DC or to the GC, as with _AD_Open.
You can change this behaviour by setting variable $bUseConnection2 to True/False.

As I can't test, I'm sure there are a lot of bugs - so please be careful!!

AD.au3


#17 ·  Posted (edited)

So I tested the new UDF. I ran into some issues. Regardless of $bUseConnection2, it would still refer to the first domain.

Here's the test I ran:

#include 'AD.au3'
#include <Array.au3>

Global $Domain1 = "domain1.com"
Global $Domain2 = "domain2.com"
Global $aDC

; last parameter 1 = secure (Kerberos/NTLM) authentication with the current logon
_AD_Open("", "", "", $Domain1, "", 1)
If Not @error Then
    ConsoleWrite("AD Test 1 - Completed" & @CRLF)
    _AD_Open2("", "", "", $Domain2, "", 1)
    If Not @error Then
        ConsoleWrite("AD Test 2 - Completed" & @CRLF)
    Else
        _ArrayDisplay(_AD_GetlastADSIError(), "Error: _AD_Open 2", Default, 32)
    EndIf
Else
    _ArrayDisplay(_AD_GetlastADSIError(), "Error: _AD_Open", Default, 32)
EndIf

$bUseConnection2 = False
$aDC = _AD_ListDomainControllers() ; Domain 1 DCs
_ArrayDisplay($aDC)

$bUseConnection2 = True
$aDC = _AD_ListDomainControllers() ; Returns Domain 1 DCs (should be Domain 2)
_ArrayDisplay($aDC)

_AD_Close()

I looked at what you did in the UDF and it sparked an idea. I modified it so you can connect to 2 DCs and switch between the two without having to modify any other function. However, I still wasn't able to add a user from Domain 2 to a group in Domain 1. That is, until I modified _AD_AddUserToGroup and _AD_RemoveUserFromGroup.

This is how it's used:

_AD_Open1 - First Connection

_AD_Open2 - Second Connection

_AD_SetAD($bUseConnection2) ; False sets the first Domain, True sets the second Domain. If you don't set it then no functions will work.

$bADMixed ; True allows you to add a user from Domain 2 to a group in Domain 1. Like This:

Global $aSID = _Security__LookupAccountName("SomeUserName", $Domain2)
$bADMixed = True
_AD_AddUserToGroup("Group1", $aSID[0], "objectSID")

Take a look at what I did. It's quick and dirty just to make it functional.

AD_Surf243.au3

Edited by Surf243
Forgot to #include <Array.au3>

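The split water proposes in this thread (look objects up through the Global Catalog, write through a specific DC) and the SID-based member path Surf243 uses in post #17 can both be done with the ADSI COM objects the AD UDF wraps, without waiting for multi-domain support in the UDF. The script below is an added example written for this thread; it is not code from the AD UDF or from any of the posts. Assumptions: a DC that hosts the Global Catalog at gc01.ad.company.com, a writable DC of the group's own domain at dc01.ad.company.com, and EU as the NetBIOS name of the EU domain; the two DNs are the ones from the first post. It also adds a check the thread does not mention: a global group can only contain members from its own domain, so the script reads groupType from the GC and refuses such groups before attempting the write.

```autoit
; Added example for this thread, not code from the AD UDF or from the original posts.
; Reads go to the Global Catalog (GC://, TCP 3268, read-only, forest-wide);
; the write goes to a DC of the domain that owns the group. Host names are assumptions.
#include <Security.au3>

Global Const $ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002 ; groupType bit: members from its own domain only

; Assumed infrastructure names: a DC that hosts the GC, and a writable DC of the group's domain
Global $g_sGCHost = "gc01.ad.company.com"
Global $g_sGroupDC = "dc01.ad.company.com"
; Object DNs taken from the first post of the thread
Global $g_sGroupDN = "CN=Office 365,CN=Users,DC=AD,DC=COMPANY,DC=COM"
Global $g_sUserDN = "CN=test user36,OU=Test,OU=Users,OU=COUNTRY,DC=EU,DC=AD,DC=COMPANY,DC=COM"

; COM failures (access denied, no such object, constraint violation) go to a
; handler that records the HRESULT instead of aborting the script
Global $g_iLastComError = 0
Global $g_oComError = ObjEvent("AutoIt.Error", "_ComErrorHandler")

Func _ComErrorHandler($oError)
    $g_iLastComError = $oError.number
    ConsoleWrite("! COM error 0x" & Hex($oError.number, 8) & ": " & StringStripWS($oError.windescription, 3) & @CRLF)
EndFunc

; Search the whole forest through the GC; return one attribute of the first hit, "" if none.
Func _GCSearch($sGCHost, $sLDAPFilter, $sAttribute)
    $g_iLastComError = 0
    Local $oConnection = ObjCreate("ADODB.Connection")
    $oConnection.Provider = "ADsDSOObject"
    $oConnection.Open("Active Directory Provider") ; binds with the current logon, no password in the script
    Local $oCommand = ObjCreate("ADODB.Command")
    $oCommand.ActiveConnection = $oConnection
    ; ADO LDAP dialect: <base>;filter;attributes;scope. A GC:// base covers every domain of the forest.
    $oCommand.CommandText = "<GC://" & $sGCHost & ">;" & $sLDAPFilter & ";" & $sAttribute & ";subtree"
    $oCommand.Properties("Page Size") = 1000
    Local $oRecordSet = $oCommand.Execute
    If $g_iLastComError <> 0 Then Return SetError(1, $g_iLastComError, "")
    Local $vResult = ""
    If Not $oRecordSet.EOF Then $vResult = $oRecordSet.Fields($sAttribute).Value
    $oRecordSet.Close()
    $oConnection.Close()
    Return $vResult
EndFunc

; Add a member to a group that lives in another domain.
; $sMemberPath is an ADsPath: "LDAP://<DN>" for an account in the same forest, or
; "LDAP://<SID=S-1-5-21-...>" as in post #17. The SID form also works for an account from
; an externally trusted domain, which the DC then stores as a foreignSecurityPrincipal.
; Returns 1 on success. @error: 1 = group not found in the GC, 2 = group is global,
; 3 = could not bind to the group on $sGroupDC, 4 = Add failed (HRESULT in @extended,
; e.g. already a member or no "Write Members" permission on the group).
Func _AddMemberCrossDomain($sGCHost, $sGroupDC, $sGroupDN, $sMemberPath)
    Local $sFilter = "(&(objectCategory=group)(distinguishedName=" & $sGroupDN & "))"
    ; 1) Does the group exist anywhere in the forest? A DC of EU.AD.COMPANY.COM cannot
    ;    answer that for an object in AD.COMPANY.COM, which is why the checks in the thread fail.
    If _GCSearch($sGCHost, $sFilter, "distinguishedName") = "" Then Return SetError(1, 0, 0)
    ; 2) Only universal and domain local groups may hold members from other domains.
    Local $iGroupType = _GCSearch($sGCHost, $sFilter, "groupType")
    If BitAND($iGroupType, $ADS_GROUP_TYPE_GLOBAL_GROUP) Then Return SetError(2, 0, 0)
    ; 3) Bind to the group through a DC of its own domain; the GC cannot be written to.
    Local $oGroup = ObjGet("LDAP://" & $sGroupDC & "/" & $sGroupDN)
    If Not IsObj($oGroup) Then Return SetError(3, 0, 0)
    $g_iLastComError = 0
    $oGroup.Add($sMemberPath) ; IADsGroup::Add commits immediately, no SetInfo needed
    If $g_iLastComError <> 0 Then Return SetError(4, $g_iLastComError, 0)
    Return 1
EndFunc

; --- usage ---
; Same forest: address the member by its DN
Global $iResult = _AddMemberCrossDomain($g_sGCHost, $g_sGroupDC, $g_sGroupDN, "LDAP://" & $g_sUserDN)
ConsoleWrite("DN add: result=" & $iResult & " @error=" & @error & @CRLF)

; SID-based path as in post #17: resolve the account to its SID first.
; "EU" is the assumed NetBIOS name of the EU domain.
Global $aSID = _Security__LookupAccountName("EU\test user36")
If IsArray($aSID) Then
    $iResult = _AddMemberCrossDomain($g_sGCHost, $g_sGroupDC, $g_sGroupDN, "LDAP://<SID=" & $aSID[0] & ">")
    ConsoleWrite("SID add: result=" & $iResult & " @error=" & @error & @CRLF)
EndIf
```

Two points worth keeping in mind when using this pattern: the GC lookup only proves the object exists forest-wide, it says nothing about whether the calling account may change the group, so run the script under an account that has been delegated only "Write Members" on the target group rather than a domain admin; and because the Add call is the only write, any failure it reports (access denied, already a member, constraint violation for a global group that slipped past the check) arrives as a COM HRESULT through the handler, which is where to look when the UDF's numeric @error alone is not enough.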

I think you need to set parameters 3, 4 and 5 as described in the wiki: https://www.autoitscript.com/wiki/Active_Directory_UDF_-_General#To_another_domain

19 hours ago, water said:

I think you need to set parameters 3, 4 and 5 as described in the wiki: https://www.autoitscript.com/wiki/Active_Directory_UDF_-_General#To_another_domain

Same results. Since I can't post the actual DCs, I took a count of them instead.

#include 'AD.au3'

Global $aDC
Global $Domain1 = "dc1.mydomain1.com"
Global $DNS1 = "dc=mydomain1,dc=com"
Global $Config1 = "cn=Configuration,dc=mydomain1,dc=com"

Global $Domain2 = "dc1.mydomain2.com"
Global $DNS2 = "dc=mydomain2,dc=com"
Global $Config2 = "cn=Configuration,dc=mydomain1,dc=com"

ConsoleWrite(@CRLF)
Domain1Test()
Domain2Test()
FullTest()
ConsoleWrite(@CRLF)

Func Domain1Test()
    _AD_Open("", "", $DNS1, $Domain1, $Config1)
    If Not @error Then
        $aDC = _AD_ListDomainControllers()
        ConsoleWrite("Domain1Test|# of DC's: " & @TAB & @TAB & UBound($aDC) & @CRLF)
        $aDC = 0
    EndIf
    _AD_Close()
EndFunc

Func Domain2Test()
    _AD_Open("", "", $DNS2, $Domain2, $Config2)
    If Not @error Then
        $aDC = _AD_ListDomainControllers()
        ConsoleWrite("Domain2Test|# of DC's: " & @TAB & @TAB & UBound($aDC) & @CRLF)
        $aDC = 0
    EndIf
    _AD_Close()
EndFunc

Func FullTest()
    _AD_Open("", "", $DNS1, $Domain1, $Config1)
    If Not @error Then
        _AD_Open2("", "", $DNS2, $Domain2, $Config2)
        If Not @error Then
            ; Domain 1
            $bUseConnection2 = False
            $aDC = _AD_ListDomainControllers()
            ConsoleWrite("Domain1FullTest|# of DC's: " & @TAB & UBound($aDC) & @CRLF)
            $aDC = 0

            ; Domain 2
            $bUseConnection2 = True
            $aDC = _AD_ListDomainControllers()
            ConsoleWrite("Domain2FullTest|# of DC's: " & @TAB & UBound($aDC) & @CRLF)
            $aDC = 0
        EndIf
    EndIf
    _AD_Close()
EndFunc

DCtest.JPG


The problem is that - at the moment - only the internal function __AD_ObjGet makes use of two AD connections.
The goal was to implement some limited kind of multi domain support to the UDF. To make it fully multi domain aware would be a massive rewrite.

I would now ask for real life examples where users need multi domain support and I would then try to implement this into the needed functions of the UDF.
